{"id":"CVE-2026-30827","summary":"express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)","details":"express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.","aliases":["GHSA-46wh-pxpv-q5gq"],"modified":"2026-04-10T05:42:34.695204Z","published":"2026-03-07T05:19:08.206Z","related":["CGA-c274-w4fw-m9j8"],"database_specific":{"cwe_ids":["CWE-770"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30827.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30827.json"},{"type":"ADVISORY","url":"https://github.com/express-rate-limit/express-rate-limit/security/advisories/GHSA-46wh-pxpv-q5gq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30827"},{"type":"FIX","url":"https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/express-rate-limit/express-rate-limit","events":[{"introduced":"c299d5c89f9a75e52bfc28b81c22df0f059520e8"},{"fixed":"54a685fbc4e8f88839349677e54e52380ad374c8"}],"database_specific":{"versions":[{"introduced":"8.0.0"},{"fixed":"8.0.2"}]}},{"type":"GIT","repo":"https://github.com/express-rate-limit/express-rate-limit","events":[{"introduced":"60619359e1a479cceaf5893c0eb4ec68a99d5347"},{"fixed":"1c572187e1e70672ec75761d561be8df3d304931"}],"database_specific":{"versions":[{"introduced":"8.1.0"},{"fixed":"8.1.1"}]}},{"type":"GIT","repo":"https://github.com/express-rate-limit/express-rate-limit","events":[{"introduced":"37347330ecb5e0f6e34a278fa77502b3572f57f7"},{"fixed":"a009ad6488448515b219eb9f4203c725eb328c8e"}],"database_specific":{"versions":[{"introduced":"8.2.0"},{"fixed":"8.2.2"}]}}],"versions":["v8.0.0","v8.0.1","v8.1.0","v8.2.0","v8.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30827.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}